From 5442b82f2a91b517507a320f9d91828cc2fe794e Mon Sep 17 00:00:00 2001
From: Arnav Singh
Date: Tue, 16 Aug 2022 19:48:30 -0700
Subject: [PATCH] Fix all identity certs to create P-256 / RSA-2048 key pairs.

Fixes #403
---
 cert/aziot-certd/src/lib.rs | 2 +-
 cert/aziot-certd/src/renewal.rs | 2 +-
 identity/aziot-identityd/src/identity.rs | 2 +-
 identity/aziot-identityd/src/renewal.rs | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/cert/aziot-certd/src/lib.rs b/cert/aziot-certd/src/lib.rs
index 0956775d5..e69bcb219 100644
--- a/cert/aziot-certd/src/lib.rs
+++ b/cert/aziot-certd/src/lib.rs
@@ -521,7 +521,7 @@ async fn create_cert_inner<'a>(
 .key_client
 .create_key_pair_if_not_exists(
 &x509.identity.pk,
- Some("ec-p256:rsa-4096:*"),
+ Some("ec-p256:rsa-2048:*"),
 )
 .await?;
 let cstr = CString::new(handle.0)?;
diff --git a/cert/aziot-certd/src/renewal.rs b/cert/aziot-certd/src/renewal.rs
index fd0af2b52..eb0bf2e6f 100644
--- a/cert/aziot-certd/src/renewal.rs
+++ b/cert/aziot-certd/src/renewal.rs
@@ -193,7 +193,7 @@ impl cert_renewal::CertInterface for EstIdRenewal {
 let key_handle = self
 .key_client
- .create_key_pair_if_not_exists(&key_id, Some("ec-p256:rsa-4096:*"))
+ .create_key_pair_if_not_exists(&key_id, Some("ec-p256:rsa-2048:*"))
 .await
 .map_err(|_| cert_renewal::Error::retryable_error("failed to generate temp key"))?;
diff --git a/identity/aziot-identityd/src/identity.rs b/identity/aziot-identityd/src/identity.rs
index 4104ea351..31a08146a 100644
--- a/identity/aziot-identityd/src/identity.rs
+++ b/identity/aziot-identityd/src/identity.rs
@@ -856,7 +856,7 @@ impl IdentityManager {
 let key_handle = self
 .key_client
- .create_key_pair_if_not_exists(identity_pk, Some("rsa-2048:*"))
+ .create_key_pair_if_not_exists(identity_pk, Some("ec-p256:rsa-2048:*"))
 .await
 .map_err(|err| Error::Internal(InternalError::CreateCertificate(err.into())))?;
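Review bot: The preference string `"ec-p256:rsa-2048:*"` in the `create_cert_inner` hunk is now the same literal repeated at five call sites across aziot-certd and aziot-identityd, and the drift between those literals (rsa-4096 here versus rsa-2048 elsewhere, P-256 missing on the identityd side) is exactly what this commit is cleaning up, so nothing stops it recurring. I would define it once in a module both crates already reach (the key client's crate looks like the natural home, though the crate layout is outside the hunk) as `/// Preferred key types for identity key pairs, in order; see the key service for what the trailing '*' falls back to.` followed by `pub const IDENTITY_KEY_PREFERENCE: &str = "ec-p256:rsa-2048:*";`, and pass that here instead of the literal. The doc comment matters because the trailing `*` reads like a catch-all fallback, i.e. the clause that decides what gets generated when neither preferred algorithm is available, and that should be stated where a reviewer of a future change will see it. `create_cert_inner` begins before the hunk.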
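Review bot: In the `IdentityManager` hunk, adding `ec-p256` to the preference can only affect identities whose key does not exist yet, because the call is `create_key_pair_if_not_exists`; an `identity_pk` already created under the old `rsa-2048:*` preference presumably keeps its RSA key (inferred from the method name; the key service's behaviour for an existing id is outside this hunk). If #403 covers already-provisioned devices, either the commit message should say the fix applies to newly created identities only, or this path needs a re-key step. A one-line comment above the call, `// The preference only applies when the key is first created; an existing key keeps its type.`, would save the next reader the same question. The enclosing method starts before the hunk.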
diff --git a/identity/aziot-identityd/src/renewal.rs b/identity/aziot-identityd/src/renewal.rs
index 4ab376d08..72efafc7f 100644
--- a/identity/aziot-identityd/src/renewal.rs
+++ b/identity/aziot-identityd/src/renewal.rs
@@ -55,7 +55,7 @@ impl IdentityCertRenewal {
 }
 let key_handle = key_client
- .create_key_pair_if_not_exists(key_id, Some("rsa-2048:*"))
+ .create_key_pair_if_not_exists(key_id, Some("ec-p256:rsa-2048:*"))
 .await
 .map_err(|err| {
 crate::Error::Internal(crate::InternalError::CreateCertificate(
@@ -163,7 +163,7 @@ impl cert_renewal::CertInterface for IdentityCertRenewal {
 let key_handle = self
 .key_client
- .create_key_pair_if_not_exists(&key_id, Some("rsa-2048:*"))
+ .create_key_pair_if_not_exists(&key_id, Some("ec-p256:rsa-2048:*"))
 .await
 .map_err(|_| cert_renewal::Error::retryable_error("failed to generate temp key"))?;
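Review bot: In the `@@ -163` hunk, the `.map_err(|_| cert_renewal::Error::retryable_error("failed to generate temp key"))` directly after the changed line discards the key-service error, and with the new preference this is the first place a key backend that cannot produce P-256 or RSA-2048 would fail (inferred; the key service is not visible here), leaving the operator with a generic message and a renewal that keeps retrying. I would keep the cause, e.g. `.map_err(|err| cert_renewal::Error::retryable_error(format!("failed to generate temp key: {err}")))`, provided `retryable_error` accepts an owned message rather than only a `&'static str` (its signature is outside the hunk). The same closure appears in the aziot-certd renewal hunk and deserves the same treatment. The enclosing `CertInterface` impl method starts before the hunk.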